Recently, we reported on the FBI’s warning about a type of malware that has potentially infected somewhere in the range of 500,000 routers. If you haven’t read that, here’s the summary: Reboot your router. To give you more information on why that’s a good idea, we’re going to take a closer look at exactly what this virus does.
VPNFilter is, in essence, a man-in-the-middle attack: its “ssler” module picks up incoming web traffic and injects malicious packets into it as it passes through the router. These packets can then be used to exploit certain devices that are connected to the network. Pretty sneaky.
The man-in-the-middle attack is a pretty serious one, since it gives near-unlimited access to incoming and outgoing data. This means that the infection can also, for example, pick up passwords that you use to log into websites. Even transmissions that are normally encrypted aren’t safe, as the malware is also capable of downgrading HTTPS (SSL-encrypted) traffic to plain old HTTP, which makes it readable to outside sources.
Beyond that, there’s also a built-in self-destruct code that first erases any trace of the infection, then moves on to delete everything else on the device, effectively transforming your router into a brick.
The scariest part of VPNFilter is that the FBI’s suggestion to reboot the infected router is only a strategy to buy time to combat it. While the man-in-the-middle and self-destruct features of the malware can be eliminated with a reboot, the intrusion that put them there in the first place remains active and waiting on instructions. The FBI seized the domain that controlled these infections, but the functionality for them to be triggered is still active.
The situation is further complicated by how hard the infection is to detect. Your internet service provider may alert you to suspicious traffic if any is detected, and advanced users can check the logs for strange activity, but it otherwise works rather covertly.
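The HTTPS-to-HTTP downgrade described above is one of the things a log check can look for. As an added example that is not part of the original post, the Python script below scans constructed proxy-log lines and flags any client that falls back to plain HTTP for a host it had previously reached over HTTPS (or for a host the operator knows is HTTPS-only); the log format, addresses and host names are assumptions.

```python
"""Flag HTTPS-to-HTTP downgrades in a simple per-connection log."""
from collections import defaultdict
import re

# Constructed sample log (not from the original post): timestamp, client, scheme, host
SAMPLE_LOG = """\
2018-05-25T10:00:01 192.168.1.20 https bank.example.com
2018-05-25T10:00:05 192.168.1.20 https mail.example.org
2018-05-25T10:03:10 192.168.1.20 http bank.example.com
2018-05-25T10:03:12 192.168.1.21 http news.example.net
2018-05-25T10:04:00 192.168.1.20 http mail.example.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(https?)\s+(\S+)$")


def parse_log(text):
    """Yield (timestamp, client, scheme, host) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            yield match.groups()


def find_downgrades(text, https_only=frozenset()):
    """Return (client, host, timestamp) for every plain-HTTP request to a host
    that the same client previously reached over HTTPS, or that is listed in
    https_only (hosts the operator knows never serve plain HTTP)."""
    seen_https = defaultdict(set)  # client -> hosts it has reached over HTTPS so far
    downgrades = []
    for ts, client, scheme, host in parse_log(text):
        if scheme == "https":
            seen_https[client].add(host)
        elif host in seen_https[client] or host in https_only:
            downgrades.append((client, host, ts))
    return downgrades


if __name__ == "__main__":
    for client, host, ts in find_downgrades(SAMPLE_LOG):
        print(f"{ts} possible downgrade: {client} reached {host} over plain HTTP")
```

A single flagged line is not proof of infection, since some sites legitimately serve both schemes, but a burst of downgrades for hosts that normally use HTTPS is exactly the kind of strange activity worth a closer look.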
To fully get rid of the virus, there are a few steps that can be taken. Disabling remote administration should prevent the malware from being triggered, and changing the password can undo any access a hacker may have already gained. A factory reset on the device can completely wipe out the infection, and updating the firmware can prevent the router from picking it up again. Doing all of the above would be your best bet at keeping your network safe.
However, doing all of that can be difficult, even for a trained technician. When possible, make sure the work is being done by someone familiar with that sort of network equipment. At the very least, take the time to reboot your router. It won’t exactly eliminate the virus, but it will disable it, at least temporarily.